News Brief

OCC emphasizes compliance’s role in FI’s operational resiliency


Compliance departments at financial institutions must become more involved in ensuring their firm’s operational resiliency to address emerging risks, the Treasury Department’s Office of the Comptroller of the Currency said in its semi-annual risk perspective.

SEC office

News Brief

SEC orders R.R. Donnelley to pay $2.1M over cyber-related control violations


A business communications and marketing services company agreed to pay more than $2 million to settle charges levied by the Securities and Exchange Commission over cybersecurity-related control violations.


News Brief

DOJ orders consultants to pay $11.3M total for cyber rule violations


Guidehouse and Nan McKay and Associates will pay a total of $11.3 million to the Department of Justice (DOJ) to settle allegations that cybersecurity failures led to the theft of client personal information during the height of the COVID-19 pandemic.

columnist dale


Top-of-mind takeaways from TPRM Summit


Top-of-mind issues addressed at Compliance Week’s Third-Party Risk Management & Oversight Summit, held June 3-4 in Atlanta, included safe deployment of artificial intelligence, assessing vendor viability and sustainability, understanding the role of procurement in risk ranking, the intersection (or lack thereof) between data privacy and cybersecurity, and many others.

Intercontinental Exchange

News Brief

SEC orders Intercontinental Exchange to pay $10M over Reg SCI violations


Intercontinental Exchange and nine affiliates agreed to pay $10 million for allegedly failing to inform the Securities and Exchange Commission of a cyber intrusion as required by Regulation Systems Compliance and Integrity.


News Brief

​SEC official clarifies material incident reporting under new cyber rule


Erik Gerding, director of the Securities and Exchange Commission’s Division of Corporation Finance, issued a statement addressing early inconsistencies observed under the agency’s new cybersecurity incident disclosure rule.

Water system

News Brief

EPA warns of increased cybersecurity scrutiny toward water systems


The Environmental Protection Agency is increasing its inspections of public drinking water systems after finding a majority of those reviewed were vulnerable to cyberattacks and related threats.



California privacy reg seeking more input on new rules


Businesses will receive additional time to weigh in on proposed regulations by the California Privacy Protection Agency regarding risk assessments, cybersecurity audits, automated decision-making, and data broker registration before they’re potentially finalized later this year.


News Brief

SEC amends Reg S-P to require data breach notification within 30 days


The Securities and Exchange Commission will require broker-dealers and registered investment advisers to adopt written policies and procedures for handling data breaches of customer data and notify affected customers within 30 days.

New York cyber-security

News Brief

NYDFS offers cyber rule compliance template for small businesses


The New York State Department of Financial Services issued guidance for small businesses attempting to comply with its cybersecurity regulations.

Cybersecurity icons


Survey: Public companies fear added cyber risks from SEC disclosures


Large public companies say they are prepared to comply with the disclosure requirements of the SEC’s new cybersecurity incident rule, according to a survey conducted by Compliance Week and DLA Piper, but concerns exist that those reports could enhance the threat of future cyberattacks.



Report: Human error driving growing number of data breaches


Verizon’s annual data breach report shows trends in cybersecurity incidents, including more ransomware and extortion attacks last year.


News Brief

Federal banking regulators issue TPRM guidance for community banks


The Federal Deposit Insurance Corporation, Federal Reserve Board, and Office of the Comptroller of the Currency combined to provide guidance on third-party risk management focused on the unique risks faced by community banks in their third-party relationships.

Screenshot 2024-05-06 132406


White paper: SEC doubles down on cyber risk management accountability

2024-05-05T17:30:00+01:00Provided by and

To help investors gain a better understanding of cyber risk, the US Securities and Exchange Commission (SEC) has created sweeping new rules—forcing companies to take a more proactive approach to cybersecurity.


News Brief

Insight Global to pay $2.7M over lax security on contact tracing data


Atlanta-based staffing agency In­­­­­­sight Global agreed to pay $2.7 million to settle alleged False Claims Act violations for failing to provide adequate cybersecurity on Covid-19 contract tracing data.

Health data

News Brief

State AGs tell UnitedHealth to do more in cyberattack aftermath


UnitedHealth Group’s response to a major cyberattack in February that wreaked havoc with medical payments nationwide has been “inadequate” and must be improved immediately, a group of 22 state attorneys general told the company.

FTC seal

News Brief

Mobile health apps must follow FTC breach notice rule after update


Mobile health applications and similar technologies must notify customers following a data breach or risk violating the Federal Trade Commission’s health breach notification rule.


News Brief

Czech DPA fines Avast $15M over GDPR violations


The Czech Republic’s data protection authority issued a fine of 351 million Czech koruna (U.S. $15 million) against antivirus software vendor Avast for alleged violations of the General Data Protection Regulation.


News Brief

Change Healthcare cyberattack updates detail massive impact, costs


The massive cyberattack on Change Healthcare has potentially compromised the personal and protected health information of an untold number of Americans, according to parent company UnitedHealth Group.

Screenshot 2024-04-23 122022


White paper: Automate to Accelerate: Overcoming Staffing and Compliance Challenges in Cyber Risk Management

2024-04-22T19:00:00+01:00Provided by

Spending countless hours tracking down controls evidence for your audit and compliance activities is an annoyance at best and a major drag on productivity and effectiveness at worst.



CPE Webcast: Doubling down on compliance: Deep dive into SEC cybersecurity regulations

2024-04-09T14:00:00+01:00Provided by

KPMG and ServiceNow experts will delve into best practices to help you not only understand the new regulations but also navigate critical regulatory challenges by highlighting how a platform like ServiceNow can help with compliance.


News Brief

AT&T: Data leak exposed info of 73M customers onto dark web


AT&T said personal account data on approximately 73 million current and former customers was released on the dark web two weeks ago but has not yet identified when and where the breach occurred.


News Brief

CISA teases cyber incident reporting rule for critical infrastructure


Financial businesses and other critical infrastructure entities would have to report significant cybersecurity and ransomware incidents to the federal government under a new rule that will be proposed by the Cybersecurity and Infrastructure Security Agency.

Deutsche Bank

News Brief

Deutsche Bank dinged $54K over IT incident reporting


Deutsche Bank was assessed a penalty of €50,000 (U.S. $54,000) by Germany’s financial supervisory authority for its alleged miscommunication of a 2023 information technology security incident.


News Brief

Departing ABN AMRO risk chief says climate, cyber among priorities


Tanja Cuppen, chief risk officer of ABN AMRO, shared her view on the Dutch bank’s biggest risk focus areas and the accomplishments of her tenure a month ahead of her planned departure.

Privacy Shield


Privacy by design a silver bullet for stemming AI risks?


The proliferation of artificial intelligence technologies—and their reliance on publicly available data—has reinforced the need for tech developers and the companies using their solutions to ensure privacy by design and by default is at the crux of any offering.

Health data

News Brief

Change Healthcare facing HHS probe following crippling cyberattack


Change Healthcare, a health payment processor hit by a crippling cyberattack in February, is under investigation by the Department of Health and Human Services’ Office for Civil Rights.

OCC sign


U.S. banking regs mulling enhanced operational resiliency frameworks


Acting Comptroller of the Currency Michael Hsu said federal banking agencies are considering enhancements to their operational resiliency requirements for member banks.

Reserve Bank of New Zealand

News Brief

New Zealand banks to report material cyber incidents within 72 hours


The Reserve Bank of New Zealand added new reporting requirements for its member banks to follow if they suffer a material cyber incident and for all types of cyberattacks.


News Brief

​Italian DPA fines UniCredit $3M over data breach GDPR lapses


The Italian data protection authority announced a fine of €2.8 million (U.S. $3 million) against UniCredit for alleged violations of the General Data Protection Regulation regarding insufficient security measures the bank had in place during a cyberattack.

White House

News Brief

Biden executive order to target commercial data broker activities


A new executive order seeks to put clamps on the sale of Americans’ personal data by data brokers and other companies to certain countries found to be of national security concern.

AI for business


CW National 2024 preview: Diana Kelley on AI implications for compliance


Artificial intelligence expert Diana Kelley will discuss what AI means for organizations and explore the technology’s implications for compliance and enterprise risk as part of a keynote address at Compliance Week’s National Conference in Washington, D.C.

DOJ wall


DOJ official: Expect more cybersecurity false claim enforcements


The announcement of a record year in several areas of False Claims Act enforcement at the Department of Justice was accompanied by a warning that more significant cases are coming, particularly regarding cybersecurity-related claims.

Cloud Computing


Toeing the ‘fine line’ of cloud security compliance


When organizations move their data or operations to the cloud, the compliance team has their work cut out and then some, experts discussed at CW’s Cyber Risk & Data Privacy Summit.

Health data

News Brief

Montefiore Medical Center to pay $4.8M over employee’s data theft


Montefiore Medical Center agreed to pay $4.75 million to settle allegations by the Department of Health and Human Services’ Office for Civil Rights that failures by the New York City nonprofit facility allowed an employee to steal and sell patient information for six months.

Google HQ

News Brief

Alphabet to pay shareholders $350M over Google+ privacy lapses


Alphabet, the parent company of technology giant Google, agreed to pay $350 million in a preliminary settlement with shareholders over alleged data privacy violations and materially false and misleading statements linked to now-defunct social media site Google+.

Data breach


Experts: Good data breach response grounded in preparation


Two chief compliance officers and an attorney discussed preparation for the “when, not if” threat of a data breach during a panel at CW’s Cyber Risk & Data Privacy Summit.


News Brief

Clorox discloses $49M hit from cyberattack


Cleaning products company Clorox disclosed the major cybersecurity incident that led to a shutdown of its automated order processing late last year has cost it about $49 million.


News Brief

Blackbaud avoids fine in FTC deal requiring data deletion


Software company Blackbaud will be required to delete unnecessary data and boost cybersecurity as part of a proposed settlement with the Federal Trade Commission stemming from a 2020 data breach.


News Brief

N.Y. sues Citi for lax data security, failing to reimburse fraud victims


Citibank faces a lawsuit from New York Attorney General Letitia James for allegedly failing to protect and reimburse customers who lost thousands of dollars in fraudulent wire transfers.

Cyber locks


Consultation opens debate on proposed U.K. cyber governance code


Cybercrime is regularly cited as a leading concern for executives, yet board oversight of cyber risks is often inadequate and governance poorly understood, according to the authors of a proposed U.K. code of practice on cybersecurity governance.



New DOJ cyber section wants more private sector partnership


Cooperation between businesses and the new cybersecurity section at the Department of Justice has led to the successful defanging of numerous, major ransomware operations worldwide in just the few months since its creation, according to its chief.

Computer hacked


OFAC official urges company transparency on ransomware events


Despite its reputation as a fierce enforcer of sanctions, the Office of Foreign Assets Control has a softer side and wants to help companies that are hit with ransomware attacks, according to the agency’s senior compliance officer.


News Brief

VF discloses data breach impacted 35.5M customers


Apparel company VF Corp., the owner of brands including The North Face, Vans, and Timberland, disclosed its estimation approximately 35.5 million customers had their personal data stolen as part of a cybersecurity incident it uncovered in December.


News Brief

Robinhood Financial to pay $7.5M in Mass. settlement


Online stock trading platform and broker-dealer Robinhood Financial agreed to pay a $7.5 million fine as part of a settlement with the Commonwealth of Massachusetts addressing claims related to “gamification” of its platform and cybersecurity issues that lent to a 2021 data breach.


News Brief

Genesis Global Trading fined $8M by NYDFS over AML, cyber lapses


Virtual currency brokerage firm Genesis Global Trading agreed to pay an $8 million penalty levied by the New York State Department of Financial Services for alleged compliance failures that left it vulnerable to illicit activity and cybersecurity threats.



NIST report: Mitigating the risks of cyberattacks on AI systems


Cyberattacks on artificial intelligence systems are increasing, so it’s important users know their vulnerabilities and try to soften the damage if they get hit, according to a new report by the National Institute of Standards and Technology.



Deepfakes: A silent threat to digital integrity and AML efforts

2024-01-11T13:00:00+00:00By Rezaul Karim, CW guest columnist

Deepfakes have emerged in the digital world as a silent pandemic threatening not only our digital integrity but becoming a major risk to anti-money laundering efforts.



CPPA preview: Cybersecurity audit regs nearing formal proposal


Companies with business in California could face tough new cybersecurity mandates under draft regulations that could be headed for formal rulemaking as soon as Friday.

FINRA New York

News Brief

FINRA report: Exam trends on off-channel comms, crypto, cybersecurity


A new report from the Financial Industry Regulatory Authority provides observations from examiners on emerging issues affecting the industry, including surveilling potential use of off-channel communications by employees, crypto-asset developments, cybersecurity trends, and more.